Abstract
We present a new black-box mutational fuzzing technique and the corresponding tool, named FFFuzzer, to improve the efficiency of fuzzing towards several given suspicious vulnerable code blocks.
Our main intuition is that by adjusting dynamic taint tracing and performing constraint verification, we can build two lightweight filters to sieve the mutated inputs produced by fuzzing's mutation stage, so that FFFuzzer runs at fuzzing-level speed while enjoying better accuracy and schedulability. As our benchmark we collect 14 CVEs from the last 10 years of the PDF rendering library poppler's bug list for which enough details are available to generate a POC, and use them to analyze the real-world challenges FFFuzzer faces. We also build two mathematical models for performance analysis. Analysis and experiments show that although FFFuzzer has limitations when fuzzing metadata-related vulnerabilities, and its efficiency depends on the seed file just as with a traditional fuzzer, FFFuzzer has much stronger parallelism and can run an order of magnitude faster than a traditional fuzzer.
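The two-filter pipeline the abstract describes, as an added illustration that is not FFFuzzer's own code: the taint map, the constraint guarding the target block, the 16-byte seed and the mutation strategy are all constructed assumptions, and the expected-executions helper is the mean of the shifted geometric distribution mentioned in note 4.

```python
import random

# Constructed seed: 3-byte magic, 1 pad byte, 2-byte big-endian length, 8-byte payload, 2 trailing bytes.
SEED = bytes([0x50, 0x44, 0x46, 0x00, 0x00, 0x08] + list(range(8)) + [0, 0])
# Hypothetical taint map: input offsets that dynamic taint tracing showed flowing
# into the suspicious code block (assumed for this example, not from the paper).
TAINTED_OFFSETS = frozenset(range(4, 14))

def taint_filter(mutated_offsets, tainted=TAINTED_OFFSETS):
    """Filter 1: keep a mutant only if at least one mutated byte can reach the target block."""
    return bool(set(mutated_offsets) & tainted)

def constraint_filter(data):
    """Filter 2: lightweight check of the path constraints guarding the target block.
    Assumed constraints: magic intact and declared length fits inside the file."""
    if data[:3] != b"PDF":
        return False
    length = int.from_bytes(data[4:6], "big")
    return 0 < length <= len(data) - 6

def mutate(seed, rng, n_bytes=2):
    """Mutation stage: overwrite n_bytes random positions; report which offsets changed."""
    offsets = rng.sample(range(len(seed)), n_bytes)
    buf = bytearray(seed)
    for off in offsets:
        buf[off] = rng.randrange(256)
    return bytes(buf), offsets

def sieve(seed, n, rng_seed=0):
    """Run the mutation stage n times and sieve mutants through both filters.
    Only survivors would be handed to the (expensive) target execution."""
    rng = random.Random(rng_seed)
    stats = {"generated": n, "dropped_taint": 0, "dropped_constraint": 0, "executed": 0}
    survivors = []
    for _ in range(n):
        data, offsets = mutate(seed, rng)
        if not taint_filter(offsets):
            stats["dropped_taint"] += 1
            continue
        if not constraint_filter(data):
            stats["dropped_constraint"] += 1
            continue
        stats["executed"] += 1
        survivors.append(data)
    return stats, survivors

def expected_executions(hit_prob):
    """Mean of a shifted geometric distribution: executions until the first mutant reaches the target."""
    return 1.0 / hit_prob
```

Raising the per-mutant hit probability through the two filters is what lowers `expected_executions`, which is the speed-up the abstract's models quantify.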
Notes
- 1. BAP's intermediate language.
- 2. Bap.Std.Bitvector.extract_exn.
- 3. OCaml source code filename extension, like .cpp.
- 4. Shifted means X's value starts from 1, not 0; see https://en.wikipedia.org/wiki/Geometric_distribution for details.
© 2017 Springer International Publishing AG
Cite this paper
Jiang, F., Zhang, C., Cheng, S. (2017). FFFuzzer: Filter Your Fuzz to Get Accuracy, Efficiency and Schedulability. In: Pieprzyk, J., Suriadi, S. (eds.) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science, vol. 10343. Springer, Cham. https://doi.org/10.1007/978-3-319-59870-3_4
DOI: https://doi.org/10.1007/978-3-319-59870-3_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59869-7
Online ISBN: 978-3-319-59870-3
eBook Packages: Computer Science (R0)